Data Protection Policy
1. Introduction
At 11Exch, we are deeply committed to protecting your personal information.
This Data Protection Policy explains how we collect, process, and secure user data under global data protection frameworks — including the General Data Protection Regulation (GDPR) and the Digital Personal Data Protection Act (DPDP), 2023 (India).
Our mission is simple: to ensure every bit of data shared with 11Exch is used lawfully, fairly, and transparently.
This policy complements our Privacy Policy, Security Policy, and Compliance & Security.
2. Objective
The purpose of this policy is to:
- Protect the privacy rights of users, affiliates, and employees. 
- Define clear procedures for data collection, storage, and deletion. 
- Establish compliance with global data laws. 
- Provide mechanisms for user control and consent management. 
It applies to all data handled by 11Exch, whether electronic, paper-based, or verbal.
3. Legal Framework
This policy complies with:
- The Digital Personal Data Protection Act, 2023 (DPDP) – India 
- The Information Technology Act, 2000 (IT Act) 
- The General Data Protection Regulation (EU GDPR) 
- The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 
- International ISO 27001:2022 data security standards 
Our compliance and security measures are regularly audited, with summaries published in our Transparency Report.
4. Principles of Data Protection
We follow the seven universal data protection principles, which form the foundation of our operations:
| Principle | Description | Policy Reference | 
|---|---|---|
| Lawfulness & Fairness | Data is collected only for legal, transparent, and ethical purposes. | Privacy Policy | 
| Purpose Limitation | Data is used strictly for the purpose stated at the time of collection. | Legal Policy | 
| Data Minimization | We collect only what’s necessary for legitimate use. | Compliance & Security | 
| Accuracy | We ensure information remains up to date and accurate. | Corrections & Updates | 
| Storage Limitation | Data is retained only as long as required. | Refund Policy | 
| Integrity & Confidentiality | Encryption and secure access controls safeguard all data. | Security Policy | 
| Accountability | Every action on user data is logged and traceable. | Transparency Report | 
5. Categories of Data We Process
We collect and process two main types of data:
A. Personal Data
- Full Name 
- Contact Details (Email, Phone) 
- Age Verification Documents (for 18+ validation) 
- ID / KYC Documents (for affiliates) 
- Bank / UPI Information (for payouts) 
B. Non-Personal Data
- Browser type and device identifiers 
- IP address and location metadata 
- Cookies and analytics insights 
- User behavior data (page views, clicks, session duration) 
All processing is covered under the Privacy Policy and Cookie Policy.
6. Purpose of Data Processing
We process data for the following lawful purposes:
- User registration and ID facilitation. 
- Verification under AML & KYC Policy. 
- Affiliate commission tracking and reporting. 
- Service delivery, personalization, and performance analysis. 
- Marketing and promotional communication (with consent). 
- Legal compliance and fraud prevention. 
We do not sell or rent personal data to any third party.
7. Consent Management
Data is collected only after explicit user consent.
You may:
- Grant consent via online forms or registration. 
- Withdraw consent anytime by contacting privacy@11exch.com. 
- Manage preferences under your account settings or cookie banner. 
Consent requests are specific, time-bound, and recorded securely under the Compliance & Licensing framework.
8. Data Retention & Deletion
Data is retained only as long as required for its intended purpose or to meet legal obligations.
Once retention limits expire:
- Personal data is securely deleted or anonymized. 
- Transactional records are archived for audit use (max. 5 years). 
- Affiliate and account data are deleted upon termination or inactivity (after 90 days). 
Deletion activities are logged and verified by our compliance team, following the Security Policy.
9. Data Subject Rights
Every 11Exch user enjoys full data protection rights, including the ability to:
- Access your personal data stored with us. 
- Rectify incorrect or outdated information. 
- Request deletion (“Right to be Forgotten”). 
- Restrict processing in specific scenarios. 
- Withdraw consent at any time. 
- Request a copy of your data (Right to Portability). 
To exercise these rights, email privacy@11exch.com or use our Grievance Redressal form.
10. Data Security & Encryption
We apply state-of-the-art encryption and control systems to protect user data, including:
- 256-bit SSL for secure communication. 
- AES-256 encryption for stored data. 
- Firewall and DDoS protection for server stability. 
- Access control logs to track employee and system access. 
All systems are continuously monitored under our Security Policy.
11. Third-Party Data Processors
11Exch partners only with verified and compliant service providers who:
- Operate under binding contracts aligned with GDPR & DPDP. 
- Meet ISO 27001 or equivalent standards. 
- Limit processing strictly to the agreed purpose. 
Third-party processors include analytics tools, payment gateways, and affiliate trackers, all verified under the Compliance & Licensing policy.
12. Data Transfers Outside India
If user data is transferred outside India (for hosting, backup, or analytics), we ensure:
- Compliance with GDPR Chapter V and DPDP cross-border transfer clauses. 
- Encryption and contract-based protection agreements. 
- Transfers only to regions with adequate data protection laws. 
Full details are disclosed annually in the Transparency Report.
13. Children’s Data
11Exch does not knowingly collect data from users below 18 years of age.
All accounts require age verification under the Age Restriction Policy.
Any data mistakenly collected from minors is deleted immediately.
14. Breach Notification
In the event of a data breach:
- Users and regulators are notified within 72 hours (GDPR standard). 
- Affected users receive clear communication on scope and resolution. 
- The incident is logged under the Compliance & Security system and documented in the Transparency Report. 
15. Staff Responsibilities
Every employee, contractor, or affiliate must:
- Handle personal data lawfully and securely. 
- Report breaches or irregularities immediately. 
- Complete data protection training annually. 
Staff access to user data is monitored and recorded for accountability.
16. Data Protection Officer (DPO)
Name: (To be assigned)
Designation: Data Protection & Privacy Officer
Email: privacy@11exch.com
Alternate: grievance@11exch.com
The DPO ensures compliance with data protection laws, manages user requests, and oversees coordination with regulatory authorities.
17. Auditing & Reporting
All data protection activities are subject to:
- Quarterly internal audits. 
- Annual external compliance review. 
- Publication of audit summaries in the Transparency Report. 
These ensure ongoing adherence to GDPR, DPDP, and IT Act provisions.
18. Policy Updates
This policy is reviewed bi-annually or whenever legal requirements evolve.
All updates are published in the Corrections & Updates section with timestamped changes for full transparency.
19. Complaints & Redressal
Users can submit complaints regarding data misuse or privacy violations via:
📧 privacy@11exch.com
📩 grievance@11exch.com
🌐 Grievance Redressal form
We resolve verified complaints within 15 working days, as mandated by the User Trust & Conduct policy.
20. Disclaimer
This policy describes how 11Exch protects and processes data.
It does not constitute a legal contract but reflects our commitment to lawful and ethical operations.
By using 11Exch, users agree to this policy, along with the Terms & Conditions and Privacy Policy.
🕓 Last Updated: October 15, 2025
© 2025 11Exch. All Rights Reserved.
For more details, refer to our Transparency Report for annual summaries of data handling, compliance status, and user rights enforcement.